CVE-2025-11792
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect Cloud Agent for Windows. Attackers can exploit DLL hijacking to execute arbitrary code with elevated privileges. Only Windows systems running vulnerable versions of the Acronis agent are affected.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM-level privileges, installs persistent malware, accesses sensitive data, and moves laterally across the network.
Likely Case
Local attackers escalate from standard user to administrator privileges, enabling them to disable security controls, install backdoors, or access protected system resources.
If Mitigated
With proper endpoint security controls and limited user privileges, exploitation would be detected or prevented, limiting impact to isolated systems.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity once an attacker gains initial access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 41124 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-9439
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect Cloud Agent to build 41124 or later.
2. Restart the system to ensure the patch is fully applied.
3. Verify the update was successful using the verification steps below.
🔧 Temporary Workarounds
Restrict DLL search path permissions
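Windows: Deny file-creation rights on the agent's installation directory to non-administrative users so they cannot place DLLs there. The entry targets BUILTIN\Users (S-1-5-32-545) and only the create-file and create-folder rights, so read and execute access stays untouched for every account. It also applies to administrators' interactive sessions, so remove the entry before installing the patched build.
icacls "C:\Program Files\Acronis" /deny *S-1-5-32-545:(OI)(CI)(WD,AD)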
Enable DLL Safe Search Mode
Windows: Configure Windows to use Safe DLL Search Mode, which moves the current directory later in the DLL search order
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict endpoint security controls to detect and prevent DLL hijacking attempts
- Apply principle of least privilege to limit user accounts and restrict local access to vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check the Acronis agent version in Control Panel > Programs and Features or via command line: wmic product where "name like 'Acronis%'" get version
Check Version:
wmic product where "name like 'Acronis%'" get version
Verify Fix Applied:
Verify the agent version is 41124 or higher using the same commands, and check that no unauthorized DLL files exist in Acronis installation directories
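The directory check in the step above can be scripted. The following PowerShell is an added example, not part of the original page or any Acronis tooling; it assumes the agent is installed under the path used in the workaround section and treats SYSTEM, Administrators, CREATOR OWNER and service SIDs as the only expected writers. It reports directories and DLLs that other principals can modify, and DLLs whose Authenticode signature does not validate, as candidates for review.

```powershell
# Added example, not vendor tooling. $Root is the path used in the
# workaround section; change it if the agent lives elsewhere (assumption).
param([string]$Root = 'C:\Program Files\Acronis')

if (-not (Test-Path -LiteralPath $Root)) { throw "Not found: $Root" }

# SIDs expected to hold write access below Program Files (assumption).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0'         # CREATOR OWNER
)
# Access bits that allow planting or replacing a file: WriteData, AppendData,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000
$sidType = [System.Security.Principal.SecurityIdentifier]

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $isDll = (-not $item.PSIsContainer) -and ($item.Extension -ieq '.dll')
    if (-not ($item.PSIsContainer -or $isDll)) { continue }

    # 1. Directories and DLLs that a non-administrative principal can modify.
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Service SIDs (S-1-5-80-*, e.g. TrustedInstaller) are treated as trusted.
        if (($trusted -contains $sid) -or $sid.StartsWith('S-1-5-80-')) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Finding = 'WritableByNonAdmin'; Path = $item.FullName
                               Detail = "$sid : $($ace.FileSystemRights)" }
        }
    }

    # 2. DLLs whose Authenticode signature does not validate.
    if ($isDll) {
        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Finding = 'SignatureNotValid'; Path = $item.FullName
                               Detail = [string]$sig.Status }
        }
    }
}
```

Run it from an elevated prompt so every subdirectory can be read; no output means neither condition was found under the chosen root.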
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unexpected locations
- Acronis agent logs showing abnormal behavior or crashes
- Security logs showing privilege escalation attempts
Network Indicators:
- Unusual outbound connections from Acronis agent processes
- Lateral movement attempts from previously compromised systems
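SIEM Query (uses Sysmon Event ID 7, image load, which must be enabled in the Sysmon configuration; adapt field names to your SIEM):
EventID=7 AND Image LIKE '%acronis%' AND ImageLoaded LIKE '%.dll' AND (Signed='false' OR (ImageLoaded NOT LIKE 'C:\Windows\%' AND ImageLoaded NOT LIKE 'C:\Program Files%'))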